Thycotic’s Cyber Security Publication

Six Key Differences Between Password Management Tools and PAM

September 4th, 2018

In the past, Privileged Access Management (PAM) was accessible only to large enterprises with skilled IT teams. Feature-heavy PAM tools became more and more complex and expensive to manage. Meanwhile, security-conscious small and medium businesses were relegated to using password tools designed primarily for consumers.

While consumer password tools provide a “password vault” to store user credentials, they don’t offer the same privilege protection as PAM. Consumer-grade password management tools are not sufficient to keep your organization safe.

We believe every organization has a right to enterprise-worthy PAM capabilities. These days, modern PAM tools are built with intuitive interfaces and simple deployment templates that give SMBs access to the same PAM capabilities as larger organizations. With 61% of cyber attacks aimed at small businesses, every organization needs to understand the differences between password management and Privileged Access Management so it can make an educated decision when choosing the right mix of cyber security tools.

Password Managers and Privilege Access Management are completely different things

What’s the difference between Password Management and Privileged Access Management?

This is how Frank Dickson, Research Vice President, Worldwide Security Products at IDC, describes the difference: “Password managers are just that. They allow a user to save a potpourri of user accounts, IDs and associated passwords. It is similar to a single-sign-on ‘lite’ solution.”

In contrast, Privileged Access Management solutions offer the much greater visibility and control that organizations require to protect sensitive data, meet regulatory requirements and manage at scale.

According to Dickson: “Password managers and Privilege Access Management are completely different things.”

Let’s explore the key differences between the two types of tools:

1. Protecting all privileges, not just user passwords

If you are only concerned about protecting passwords tied to individual users, a consumer-grade password management tool might be for you. But if you’re a growing, evolving organization with diverse technology and a dispersed workforce, a password management system won’t be able to keep pace with your requirements.

Unlike password management tools—or password managers—Privileged Access Management protects all types of enterprise passwords and credentials that control access to IT infrastructure. Back to Dickson: “Privileged Access Management provides fine-grained authorization for user accounts not assigned to a normal user—superusers, shared accounts, service accounts, and so forth.”

2. Two-Factor Authentication

A simple password doesn’t ensure users are who they say they are. Security frameworks and compliance mandates call for a second level of identification before users should be allowed to access sensitive information. If you are only using a password management tool to secure your passwords, you would need to add on two-factor authentication in order to meet security requirements.

3. Complete Visibility

With a basic password “vault,” an IT team has no way to know if the passwords users choose to store inside represent all of the passwords they use to access sensitive data, or only a subset. Only a PAM tool can discover and manage all privileged accounts and associated passwords in your organization.

4. Centralized Management

Password management tools place the burden on individual users to change passwords regularly and to make sure all associated systems and users are kept up to date.

PAM solutions, on the other hand, allow for centralized, simultaneous password changing, or rotation. They ensure that when passwords are changed, all dependencies—systems that are connected to those passwords—can still authenticate and connect. Hooks within PAM systems allow you to define what you would like to happen after a password has changed. For example, do you want to lock down systems? Additionally, session launchers within PAM tools allow you to give people access to your IT systems, perhaps only temporarily, without providing them access to a password. This is particularly helpful for organizations that use numerous contractors and third parties.

5. Monitoring and Reporting for Compliance

Securing passwords that provide access is not enough to satisfy auditors that you are keeping privileged accounts safe. You need to know what users did while accessing those privileged accounts. And, you need to report on that activity without spending hours combing through logs. While consumer-grade password management tools may allow for some basic reports, they typically do not include an immutable audit log, customizable reports, and session monitoring or recording.

“Session recording capability to enable forensics and compliance reports,” is a key capability which advanced PAM tools provide, according to Dickson. With a PAM tool, you can quickly create and share a report of all privileged account use that puts auditors at ease.

6. Integration with IT and Security Software

One of the challenges security and IT teams face is system sprawl: multiple technologies that don’t connect. If you have to go to a password tool to manage credentials and reports, and then a SIEM tool to view other security tools, you’ll waste valuable time and there’s a good chance you’ll miss something important. PAM tools integrate with other key IT tools, such as SIEM tools for software management and reporting.

Richard Wang

Richard has spent more than 20 years working on information security products for endpoint, web, email, digital forensics and incident response. At Thycotic he is the Senior Product Manager for Secret Server and spends his days helping organizations overcome the challenges of securing their data and infrastructure.